
I have several WordPress staging sites placed in a staging directory. The staging directory holds a .htaccess and .htpasswd.

.htaccess:

AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/staging/.htpasswd
require valid-user

.htpasswd

username:PdadsaasdMehzdsadwad

When I place a file in this directory, the authentication process triggers appropriately, however when I place a WordPress site in the subdirectory, the authentication is not showing.

Example WP site: /var/www/staging/some-wp-site

.htaccess

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

WP Site Vhost:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName somewpsite.com
        ServerAlias somewpsite.com
        DocumentRoot /var/www/staging/some-wp-site
        <Directory />
                AllowOverride All
        </Directory>
        <Directory /var/www/staging/some-wp-site>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Require all granted
        </Directory>
</VirtualHost>

my apache.conf

<Directory /var/www/staging>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

I suspect I need to modify the vhost to use the authentication, however since I have quite a few sites in that directory I would prefer if there was a global rule that simply triggers for any files placed in this subdirectory, no matter what another configuration says. Is this possible?

Daniel Klose

2 Answers


The problem is indeed that you are using .htaccess files even though you have access to the main Apache configuration files.

In general, you should only use .htaccess files when you don't have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. https://httpd.apache.org/docs/2.4/howto/htaccess.html

In this case the unexpected behavior that the .htaccess file in /var/www/staging is not applied happens because, as far as I know, Apache will only search for and apply any .htaccess files found in the DocumentRoot directory and below. I.e. only /var/www/staging/some-wp-site and subdirectories thereof.

I am fairly certain that if you create a directory block in your main httpd.conf to require Authentication on /var/www/staging it will also apply to all subdirectories and every virtual host with a DocumentRoot in there.

HBruijn
  • I changed apache2.conf to below but still no luck... `AuthType Basic AuthName "restricted area" AuthUserFile /var/www/staging/.htpasswd require valid-user Options Indexes FollowSymLinks MultiViews AllowOverride All` – Daniel Klose Apr 23 '18 at 07:01
  • Additionally I've noticed that vhost rules override apache.conf rules... so this appears to be the problem. I guess I have no way than modifying the vhost and remove `Require all granted` – Daniel Klose Apr 23 '18 at 08:47
  • "Apache will only search for and apply any `.htaccess` files found in the DocumentRoot directory and below" - This is not actually true. Whether `.htaccess` files are applied is dependent on what area of the filesystem the `AllowOverride` directives cover, regardless of the DocumentRoot setting. (It is common to set `AllowOverride All` just on the DocumentRoot, so it might seem that this is the case.) However, the OP is already setting `AllowOverride All` on the `/var/www/staging` directory, so this is not the problem here. – MrWhite Apr 23 '18 at 20:07

The problem is that the Require all granted directive in the <Directory> container inside your <VirtualHost> is overriding the authentication directives in the .htaccess file in the parent directory. This should be removed and instead allow access to the /var/www directory (if you have sites outside of the "staging" area) and restrict access to the /var/www/staging subdirectory, as you are doing, although it would be preferable to do this in the server config, not .htaccess.

<Directory />
    AllowOverride All
</Directory>

Also, you should never set AllowOverride All for the root directory. The Apache docs specifically warn against doing this:

For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory "/"> block.

So, remove the /var/www/staging/.htaccess file and rework your vHost and apache.conf files something like the following:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName somewpsite.com
    ServerAlias somewpsite.com
    DocumentRoot /var/www/staging/some-wp-site
    <Directory /var/www/staging/some-wp-site>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
</VirtualHost>

apache.conf:

<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www>
    Require all granted
</Directory>

<Directory /var/www/staging>
    Options Indexes FollowSymLinks MultiViews
    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /var/www/staging/.htpasswd
    Require valid-user
</Directory>

You probably also want to disable MultiViews (and Indexes) unless you are specifically using these. Otherwise, MultiViews will only probably end up conflicting with mod_rewrite at some point in your future.

MrWhite
  • Thanks MrWhite - Yes I noticed the issue with vhost overwriting apache.conf as well. I guess it leaves me no choice than to adjust every vhost in staging then. Thanks for the security fixup! – Daniel Klose Apr 23 '18 at 22:43
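
As an added example (not code from the question or either answer), the Python sketch below audits configuration text for the problem discussed above: a `<Directory>` section below /var/www/staging whose own `Require` replaces the inherited `Require valid-user`. It goes slightly beyond the thread by honouring Apache 2.4's `AuthMerging` directive; `find_auth_overrides`, `PROTECTED` and the second vhost in `SAMPLE_CONF` are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

PROTECTED = PurePosixPath("/var/www/staging")  # auth-protected root from the page

# Constructed sample: the question's vhost plus a hypothetical second site.
SAMPLE_CONF = """
<VirtualHost *:80>
    DocumentRoot /var/www/staging/some-wp-site
    <Directory /var/www/staging/some-wp-site>
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/staging/other-site
    <Directory "/var/www/staging/other-site">
        AllowOverride All
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.I)
MERGING = re.compile(r'^\s*AuthMerging\s+(\w+)', re.I)

def find_auth_overrides(conf_text, protected=PROTECTED):
    """List (line_no, directory, require_args) for every Require in a
    <Directory> below `protected` that replaces the inherited authorization."""
    findings, current, merging, pending = [], None, "off", []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if m := OPEN.match(line):
            path = PurePosixPath(m.group(1))
            # Only sections strictly below the protected root can override it.
            current = path if protected in path.parents else None
            merging, pending = "off", []
        elif CLOSE.match(line):
            # With AuthMerging Off (the default) or Or, a local "Require all
            # granted" wins; only And keeps the parent's requirement in force.
            if current is not None and merging != "and":
                findings.extend(pending)
            current = None
        elif current is not None:
            if m := MERGING.match(line):
                merging = m.group(1).lower()
            elif m := REQUIRE.match(line):
                pending.append((no, str(current), m.group(1)))
    return findings
```

Pass it the concatenated text of the vhost files to list every site that needs adjusting; it does not follow `Include` directives or handle `<DirectoryMatch>` sections.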